{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# Higher-than-usual number of LOLBAS executions in a short time period\n",
    "\n",
    "Attacker activity may comprise executing several LOLBAS (Living Off The Land Binaries and Scripts) applications in conjunction to accomplish their objectives. We look for a higher-than-usual count of LOLBAS executions per machine within a 5-minute window (`span(timestamp, 300s)`), by building a per-device baseline with `adaptive_threshold` over a trailing 28-day window (2419200000 ms) and alerting when a window's count exceeds the 0.99 quantile of that device's history.\n",
    "\n",
    "Caveats to keep in mind when tuning or deploying this detection:\n",
    "\n",
    "- Matching is on the lower-cased `process_name` only, against a fixed list of known LOLBAS binaries. A binary that has been renamed or copied under another name will not match, and the list needs to be kept in sync with the LOLBAS project as new entries are added.\n",
    "- `count(process_name)` counts process launches, not distinct binaries, so repeated launches of a single listed binary (e.g. `cmd.exe`) in one window contribute exactly like launches of several different ones. If the intent is \"several different LOLBAS applications\", a distinct count of `process_name` is the more faithful measure.\n",
    "- Ubiquitous binaries such as `cmd.exe`, `explorer.exe` and `reg.exe` are on the list, so the per-device baseline, not the list itself, determines sensitivity; devices with little history will have a weak baseline.\n",
    "- The alert `body` field is still a `TBD` placeholder and should be populated (e.g. with the device and the count) before this is used operationally.\n"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 3,
   "metadata": {
    "execution": {
     "iopub.execute_input": "2020-10-15T21:42:08.429572Z",
     "iopub.status.busy": "2020-10-15T21:42:08.429312Z",
     "iopub.status.idle": "2020-10-15T21:42:15.742444Z",
     "shell.execute_reply": "2020-10-15T21:42:15.741830Z",
     "shell.execute_reply.started": "2020-10-15T21:42:08.429549Z"
    }
   },
   "outputs": [
    {
     "data": {
      "application/vnd.jupyter.widget-view+json": {
       "model_id": "c27fe9ebed854de3b9d45c5f643cbbdb",
       "version_major": 2,
       "version_minor": 0
      },
      "text/plain": [
       "HBox(children=(HTML(value=''), FloatProgress(value=0.0, max=5.0), HTML(value='')))"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    },
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      " Finished.                     "
     ]
    },
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>start_time</th>\n",
       "      <th>window_trigger</th>\n",
       "      <th>entities</th>\n",
       "      <th>quantile</th>\n",
       "      <th>end_time</th>\n",
       "      <th>window_start</th>\n",
       "      <th>label</th>\n",
       "      <th>body</th>\n",
       "      <th>device</th>\n",
       "      <th>lolbas_counter</th>\n",
       "      <th>timestamp</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>2020-09-24 17:10:00</td>\n",
       "      <td>1600967399999</td>\n",
       "      <td>[5gUXDbXvVfgC/FEpZOFUaA==]</td>\n",
       "      <td>1</td>\n",
       "      <td>2020-09-24 17:10:00</td>\n",
       "      <td>1600967100000</td>\n",
       "      <td>True</td>\n",
       "      <td>TBD</td>\n",
       "      <td>5gUXDbXvVfgC/FEpZOFUaA==</td>\n",
       "      <td>7</td>\n",
       "      <td>2020-09-24 17:10:00</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>2020-09-24 17:45:00</td>\n",
       "      <td>1600969499999</td>\n",
       "      <td>[5gUXDbXvVfgC/FEpZOFUaA==]</td>\n",
       "      <td>1</td>\n",
       "      <td>2020-09-24 17:45:00</td>\n",
       "      <td>1600969200000</td>\n",
       "      <td>True</td>\n",
       "      <td>TBD</td>\n",
       "      <td>5gUXDbXvVfgC/FEpZOFUaA==</td>\n",
       "      <td>9</td>\n",
       "      <td>2020-09-24 17:45:00</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>2020-09-24 17:55:00</td>\n",
       "      <td>1600970099999</td>\n",
       "      <td>[IaNYgFTNQvyVmJNuPr58dQ==]</td>\n",
       "      <td>1</td>\n",
       "      <td>2020-09-24 17:55:00</td>\n",
       "      <td>1600969800000</td>\n",
       "      <td>True</td>\n",
       "      <td>TBD</td>\n",
       "      <td>IaNYgFTNQvyVmJNuPr58dQ==</td>\n",
       "      <td>9</td>\n",
       "      <td>2020-09-24 17:55:00</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>2020-09-24 18:00:00</td>\n",
       "      <td>1600970399999</td>\n",
       "      <td>[lQ+9FBHxYQK/q8qXcrTE9A==]</td>\n",
       "      <td>1</td>\n",
       "      <td>2020-09-24 18:00:00</td>\n",
       "      <td>1600970100000</td>\n",
       "      <td>True</td>\n",
       "      <td>TBD</td>\n",
       "      <td>lQ+9FBHxYQK/q8qXcrTE9A==</td>\n",
       "      <td>9</td>\n",
       "      <td>2020-09-24 18:00:00</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>4</th>\n",
       "      <td>2020-09-24 22:20:00</td>\n",
       "      <td>1600985999999</td>\n",
       "      <td>[zMnUW93edd+Q+ovwebxbRw==]</td>\n",
       "      <td>1</td>\n",
       "      <td>2020-09-24 22:20:00</td>\n",
       "      <td>1600985700000</td>\n",
       "      <td>True</td>\n",
       "      <td>TBD</td>\n",
       "      <td>zMnUW93edd+Q+ovwebxbRw==</td>\n",
       "      <td>5</td>\n",
       "      <td>2020-09-24 22:20:00</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>5</th>\n",
       "      <td>2020-09-24 23:30:00</td>\n",
       "      <td>1600990199999</td>\n",
       "      <td>[ZTQ/ltGlScpA4WGbfRJ0Xg==]</td>\n",
       "      <td>1</td>\n",
       "      <td>2020-09-24 23:30:00</td>\n",
       "      <td>1600989900000</td>\n",
       "      <td>True</td>\n",
       "      <td>TBD</td>\n",
       "      <td>ZTQ/ltGlScpA4WGbfRJ0Xg==</td>\n",
       "      <td>5</td>\n",
       "      <td>2020-09-24 23:30:00</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>6</th>\n",
       "      <td>2020-09-25 14:25:00</td>\n",
       "      <td>1601043899999</td>\n",
       "      <td>[lQ+9FBHxYQK/q8qXcrTE9A==]</td>\n",
       "      <td>1</td>\n",
       "      <td>2020-09-25 14:25:00</td>\n",
       "      <td>1601043600000</td>\n",
       "      <td>True</td>\n",
       "      <td>TBD</td>\n",
       "      <td>lQ+9FBHxYQK/q8qXcrTE9A==</td>\n",
       "      <td>12</td>\n",
       "      <td>2020-09-25 14:25:00</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>7</th>\n",
       "      <td>2020-09-26 05:05:00</td>\n",
       "      <td>1601096699999</td>\n",
       "      <td>[OWUYaWKrJeuOY71+TXoqiw==]</td>\n",
       "      <td>1</td>\n",
       "      <td>2020-09-26 05:05:00</td>\n",
       "      <td>1601096400000</td>\n",
       "      <td>True</td>\n",
       "      <td>TBD</td>\n",
       "      <td>OWUYaWKrJeuOY71+TXoqiw==</td>\n",
       "      <td>38</td>\n",
       "      <td>2020-09-26 05:05:00</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "           start_time  window_trigger  ... lolbas_counter           timestamp\n",
       "0 2020-09-24 17:10:00   1600967399999  ...              7 2020-09-24 17:10:00\n",
       "1 2020-09-24 17:45:00   1600969499999  ...              9 2020-09-24 17:45:00\n",
       "2 2020-09-24 17:55:00   1600970099999  ...              9 2020-09-24 17:55:00\n",
       "3 2020-09-24 18:00:00   1600970399999  ...              9 2020-09-24 18:00:00\n",
       "4 2020-09-24 22:20:00   1600985999999  ...              5 2020-09-24 22:20:00\n",
       "5 2020-09-24 23:30:00   1600990199999  ...              5 2020-09-24 23:30:00\n",
       "6 2020-09-25 14:25:00   1601043899999  ...             12 2020-09-25 14:25:00\n",
       "7 2020-09-26 05:05:00   1601096699999  ...             38 2020-09-26 05:05:00\n",
       "\n",
       "[8 rows x 11 columns]"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    },
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "\n"
     ]
    },
    {
     "data": {
      "text/plain": [
       "<spl2_kernel.spl2_runner.SPL2Job at 0x7f82f515dc10>"
      ]
     },
     "execution_count": 3,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "| from read_text(\"s3://smle-experiments/datasets/ssa/T1059.all.labeled.lolbas-test.json\")\n",
    "| select from_json_object(value) as input_event\n",
    "| eval timestamp=ucast(map_get(input_event, \"_time\"), \"long\", null)\n",
    " | eval device=ucast(map_get(input_event, \"dest_device_id\"), \"string\", null),\n",
    " process_name=lower(ucast(map_get(input_event, \"process_name\"), \"string\", null))\n",
    " | where process_name==\"regsvcs.exe\" OR process_name==\"ftp.exe\" OR process_name==\"dfsvc.exe\" OR process_name==\"rasautou.exe\" OR process_name==\"schtasks.exe\" OR process_name==\"xwizard.exe\" OR process_name==\"findstr.exe\" OR process_name==\"esentutl.exe\" OR process_name==\"cscript.exe\" OR process_name==\"reg.exe\" OR process_name==\"csc.exe\" OR process_name==\"atbroker.exe\" OR process_name==\"print.exe\" OR process_name==\"pcwrun.exe\" OR process_name==\"vbc.exe\" OR process_name==\"rpcping.exe\" OR process_name==\"wsreset.exe\" OR process_name==\"ilasm.exe\" OR process_name==\"certutil.exe\" OR process_name==\"replace.exe\" OR process_name==\"mshta.exe\" OR process_name==\"bitsadmin.exe\" OR process_name==\"wscript.exe\" OR process_name==\"ieexec.exe\" OR process_name==\"cmd.exe\" OR process_name==\"microsoft.workflow.compiler.exe\" OR process_name==\"runscripthelper.exe\" OR process_name==\"makecab.exe\" OR process_name==\"forfiles.exe\" OR process_name==\"desktopimgdownldr.exe\" OR process_name==\"control.exe\" OR process_name==\"msbuild.exe\" OR process_name==\"register-cimprovider.exe\" OR process_name==\"tttracer.exe\" OR process_name==\"ie4uinit.exe\" OR process_name==\"sc.exe\" OR process_name==\"bash.exe\" OR process_name==\"hh.exe\" OR process_name==\"cmstp.exe\" OR process_name==\"mmc.exe\" OR process_name==\"jsc.exe\" OR process_name==\"scriptrunner.exe\" OR process_name==\"odbcconf.exe\" OR process_name==\"extexport.exe\" OR process_name==\"msdt.exe\" OR process_name==\"diskshadow.exe\" OR process_name==\"extrac32.exe\" OR process_name==\"eventvwr.exe\" OR process_name==\"mavinject.exe\" OR process_name==\"regasm.exe\" OR process_name==\"gpscript.exe\" OR process_name==\"rundll32.exe\" OR process_name==\"regsvr32.exe\" OR process_name==\"regedit.exe\" OR process_name==\"msiexec.exe\" OR process_name==\"gfxdownloadwrapper.exe\" OR process_name==\"presentationhost.exe\" OR process_name==\"regini.exe\" OR process_name==\"wmic.exe\" OR 
process_name==\"runonce.exe\" OR process_name==\"syncappvpublishingserver.exe\" OR process_name==\"verclsid.exe\" OR process_name==\"psr.exe\" OR process_name==\"infdefaultinstall.exe\" OR process_name==\"explorer.exe\" OR process_name==\"expand.exe\" OR process_name==\"installutil.exe\" OR process_name==\"netsh.exe\" OR process_name==\"wab.exe\" OR process_name==\"dnscmd.exe\" OR process_name==\"at.exe\" OR process_name==\"pcalua.exe\" OR process_name==\"cmdkey.exe\" OR process_name==\"msconfig.exe\" \n",
    " | stats count(process_name) as lolbas_counter by device,span(timestamp, 300s) \n",
    " | eval lolbas_counter=lolbas_counter*1.0\n",
    " | rename window_end as timestamp\n",
    " | adaptive_threshold algorithm=\"quantile\" value=\"lolbas_counter\" entity=\"device\" window=2419200000L\n",
    " | where label AND quantile>0.99 \n",
    " | eval start_time = timestamp, end_time = timestamp, entities = mvappend(device), body = \"TBD\";"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": []
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": "SPL2",
   "language": "SPL",
   "name": "spl2"
  },
  "language_info": {
   "mimetype": "text/spl",
   "name": "SPL"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}
